Some details on the eThekwini Municipality vulnerability

Here are some extra details on what happened yesterday.

Here is the MyBroadband article for context.


At 12pm 7 September a colleague of mine received the email from eThekwini, and told me the password was in plain text.

Presumably they were staging emails, because at 4:31pm 7 September I received the same email. The password was in plain text, and was my actual password, not a newly generated one.
This means they were either storing the passwords in plain text, or storing them reversibly encrypted – both of which are obviously bad, because if they can decrypt it, chances are so can someone else.

20 minutes later I tweeted the image.

Immediately after tweeting I logged in, saw the obvious issue with viewing other people's data, and emailed them to let them know that there was a problem – I did not tweet about this.
Werner Van Deventer emailed them at the same time (note that the 5:50pm tweet that @matthewsavides refers to is the one at 4:50PM linked above).

Werner emailed someone directly at eThekwini, along with CC’ing their public address, with lots of detail.

From: Werner van Deventer
Sent: 07 September 2016 04:55 PM
Cc: Revline
Subject: eServices security disaster
I got your email address from a customer survey email sent a while back. This new site has serious security problems that were not difficult to identify.
Today I got an email with my account password in plain text, this clearly means you are not hashing or securing passwords in your database. I am unable to change my password to something more secure so this is left exposed.
The site does not use SSL, so all logins and activity are exposed over the network in plain text for anyone to intercept.
You have an account enumeration exploit on your forgot password page, so it’s easy to find out registered email addresses.
You can request anyone’s bill with an account number and date, without being logged in!
Not my bill for example:
Getting account numbers and other personal information (ID numbers, phone numbers, email addresses) is not difficult either since you can view and edit anyone’s details by changing the customer ID in the URL. This is extremely serious as you are exposing sensitive information about customers including their account number to access their municipal bills. – [NAME REMOVED] – [NAME REMOVED] – [NAME REMOVED]
It appears as though you are also able to edit this information quite easily which could completely corrupt your database and prevent people from getting their bills. Anyone can register for an eServices account and perform these exploits.
I strongly suggest switching off this site and fixing the problems as you are exposing people’s personal information including my own.


He received a response at 8:01 AM the following day.

Date: Thu, Sep 8, 2016 at 8:01 AM
Subject: RE: eServices security disaster
To: Werner
Good Day Werner
I have forwarded your email to the relevant team, to look at the issues you mentioned below.


(Back to the 7th)
Right after emailing them, I contacted Jan Vermeulen from MyBroadband about it. We agreed that I'd give them some time to reply, and then if they didn't respond to me he would get the MyBB media team to contact them and give them 48 hours before publishing anything publicly.

At around 11PM 7 September, Werner DM'd them on Twitter urging them to take the site down. He then DM'd them again at about 11AM 8 September, 3 hours after the reply from [NAME REMOVED] above.

Werner also attempted a call to their call center on the morning of the 8th but was not able to get through – presumably they were handling lots of calls about the new system in general.

At around 12PM the next day (8 September), Taylor Gibb posted a blog post about it.

At 1:14PM eThekwini replied on Twitter.

An hour later, around 2 PM they took the site down, and it is still down as of right now.

Around the same time MyBroadband published their article (obviously the 48 hour responsible disclosure no longer applied at this stage).


The URL to a particular profile is:
[When the site was up] a person needed to be logged into the site to access the page. However, once logged in you could change that customerId to any other value and view that customer's profile.
I wish it was the first time I had seen something this bad in production.

While viewing someone else’s account it looked like you could access as much as you could on your own profile. This included residential addresses, ID number, cell and phone numbers, email address, and yes, password.

You could also access bills for any user, even without being logged in. Not only that, but Werner was able to access bills for hours after the site was “taken offline”.

Werner confirmed that you could edit someone else's details, since the ID of the user was stored in a hidden field and POSTed to the server, and the server used that value instead of the ID of the actually logged-in user.
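To make the access-control flaw concrete, here is an added illustration in Python (not the municipality's code, which was never public) using constructed sample records: the vulnerable handlers select the record by whatever customerId or hidden-field ID the client sends, and serve bills without any login, while the hardened versions only ever return or modify the record that belongs to the authenticated session.

```python
# Constructed sample data standing in for the customer and bill tables (hypothetical).
CUSTOMERS = {
    1001: {"name": "Customer A", "id_number": "REDACTED-A", "email": "a@example.invalid"},
    1002: {"name": "Customer B", "id_number": "REDACTED-B", "email": "b@example.invalid"},
}
BILLS = {
    ("ACC-A", "2016-08"): {"owner": 1001, "amount": 123.45},
    ("ACC-B", "2016-08"): {"owner": 1002, "amount": 678.90},
}
EDITABLE_FIELDS = {"email"}  # fields a customer may change on their own record

class Forbidden(Exception):
    """Raised when the session is not allowed to touch the requested record."""

# Vulnerable pattern from the post: whatever ID the client sends selects the record.
def view_profile_vulnerable(session_user_id, url_customer_id):
    # session_user_id is never consulted, so any logged-in user can read any customer.
    return CUSTOMERS[url_customer_id]

def edit_profile_vulnerable(session_user_id, posted_customer_id, changes):
    # posted_customer_id comes from a hidden form field the client controls.
    CUSTOMERS[posted_customer_id].update(changes)
    return CUSTOMERS[posted_customer_id]

def get_bill_vulnerable(session_user_id, account_number, period):
    # No login needed: an account number and a billing period are enough.
    return BILLS[(account_number, period)]

# Hardened pattern: the authenticated identity selects the record; client IDs are checked.
def view_profile_fixed(session_user_id, url_customer_id):
    if session_user_id is None or url_customer_id != session_user_id:
        raise Forbidden("profile does not belong to the logged-in user")
    return CUSTOMERS[session_user_id]

def edit_profile_fixed(session_user_id, posted_customer_id, changes):
    if session_user_id is None or posted_customer_id != session_user_id:
        raise Forbidden("cannot edit another customer's record")
    if not set(changes) <= EDITABLE_FIELDS:
        raise Forbidden("field is not customer-editable")
    CUSTOMERS[session_user_id].update(changes)
    return CUSTOMERS[session_user_id]

def get_bill_fixed(session_user_id, account_number, period):
    bill = BILLS.get((account_number, period))
    if session_user_id is None or bill is None or bill["owner"] != session_user_id:
        raise Forbidden("bill is not available to this session")
    return bill
```

In a real application the session identity comes from the server-side session store, never from a request parameter, and the hardened handlers would also log each Forbidden as an authorization failure for monitoring.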

This is a screenshot of me viewing someone else’s account.

The IDs were sequential, and went up to just over 300,000. @brutaldev confirmed that of those, around 98,000 were tied to real customers.

As of right now it is safe to assume that the entire dataset has been scraped by at least one [but probably multiple] person with ill intent.

Also, as of right now, eThekwini has not notified anyone that their personal details have been compromised.
Taylor and Cath received an email from eThekwini about a possible breach, but neither Werner, my colleague, nor I have received it.
This is a pretty big problem, and it is totally irresponsible. Besides the personal details, many people reuse the same password in multiple places (shame on you!).

This is the email they sent out:

From: eThekwini Municipality Press Release <>
Date: Thu, Sep 8, 2016 at 8:34 PM
08 September 2016
EThekwini Municipality is investigating claims that information is being shared relating to customers’ accounts and as a precautionary measure, the Municipality has taken the site offline in order to prevent any unauthorised access to our client data.
It is envisaged that the site will be back online on Monday, 12 September 2016 and in the meantime eServices users can contact the Revenue call centre on 031 324 5000.
Should customers prefer to email or fax their query they may do so on the following contact details:
Email address – / Fax 031 324 5111.
All eServices users are asked not to panic because the City has acted proactively to protect their private information.
Issued by eThekwini Municipality’s Head of Communications, Tozi Mthethwa.
For more information members of the media can contact Princess Nkabane on 031 311 4818 or Gugu Mbonambi on 031 311 4855 or email

The password I had tied to my account was a crazy bad one that I can only assume I put in never intending to use the account (which I didn't – I only knew I had an account when I got the email).

Anyway, go make sure you didn’t use the same password twice!


FlappyHand: Unity3D game with an ESP8266 Arduino (Wemos) controller over WiFi

I thought it would be fun to make a little FlappyBird clone using an ultrasonic sensor as the controller.
So I threw this together yesterday:

What you’re seeing there is an ultrasonic sensor on the table reading how far my hand is away from it, then it sends that value over WiFi to the Unity3D game, which then maps that to the plane movements.
Continue reading

Unity3D Mesh Collider vs. Box Collider

Logic tells us that a box collider in Unity3D will be more performant than a mesh collider simply because it is less complex. But I had an impulse a couple days ago to test it out myself. This doesn’t really scratch the surface of every use-case.

I went to the AssetStore and picked out a fairly simple free armchair model. I then made two different prefabs, one with a convex mesh collider, and the other with a box collider.

Chair colliders

Then I made a script to spawn a 40×40 grid of a type and let them fall onto two planes. That means a total of 1600 armchairs were doing discrete physics updates, which will kill even the best of the PC master-race.


On the left side we have the mesh collider, and on the right is the box collider. Click the gif to go to a full-size version which has a bar to manually scrub through.

As expected, the summary is that the mesh collider is far slower (sometimes even 20x slower) than the box collider, and in this case the mesh collider is actually pretty simple. Something worth pointing out is that although the graphs sort of line up, their scales are totally different, so take a proper look at the numbers on them.


Now for bonus points, here is a pretty scene of a stupid amount of spheres attacking the streets of New York.

Nuget: Your project.json doesn’t list ‘win10-x86’ as a targeted runtime

Recently I was working on a small UWP app on my SurfaceBook and everything was fine. But when I pulled the code from GitHub down to my main machine I got the following error:

Your project.json doesn’t list ‘win10-x86’ as a targeted runtime. You should add ‘”win10-x86″: { }’ inside your “runtimes” section in your project.json, and then re-run NuGet restore.

After a while I figured out that this error is totally misleading, and the real problem is that your NuGet package source has been disabled. I have a feeling this was related to installing Visual Studio 15 preview.

Anyway, to fix it: Click Tools > Options > NuGet Package Manager > Package Sources, and then re-enable (or re-add) the sources.

NuGet Package Manager

Full Netflix vs ShowMax South Africa Catalogues

A couple of years ago I wrote a guide for getting Netflix in South Africa, which still gets thousands of hits a month. A lot has changed since then – notably, Netflix has finally launched in South Africa, and a bunch of local VOD services have launched (ShowMax, Vidi, and some other small ones).

But even though Netflix is now in SA, the content is really limited. This isn't Netflix's fault, but comes down to licensing and what makes commercial sense. For this reason, the guide linked at the top is still 100% valid, and will open up tons of extra content.

Since the Netflix SA launch there has been lots of media comparing Netflix with ShowMax (and others), however none of them really go into any detail, and the actual data they have seems pretty inaccurate.

So I crunched the numbers!

Netflix vs. ShowMax January 2016

Continue reading

Simple network discovery to find Netduinos from Windows

With the advent of Internet-of-Things things, you’ll probably need a decent way to actually find all of the things on your network.

Fun fact: If you send a UDP packet to the *.255 broadcast address of your subnet, it will be delivered to all the devices on your network. So if your local network is on 192.168.1.x, then send it to Or if you want to send it to everything, then you can send to

In my case, I’ve got this awesome little guy…

Netduino 3 WiFi

…set up with DHCP, so the IP occasionally changes. I've got a Windows 10 app that needs to connect to it, so we can use the method above to find the Netduino on the network.

Continue reading


Vox Telecom Windows App

We recently switched from Afrihost "Business" Uncapped to Vox Telecom capped so that we could do cool things like actually load websites and stuff. However, monitoring your cap from their website is quite a pain.

So I made a Windows Universal app in a few evenings. It’s been in the store for a couple weeks now and it seems to be working well for people, so I’m posting here.
Continue reading